Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

2024 Federal Information Security Modernization Act

Submitting OIG: 
Tennessee Valley Authority OIG
Report Description: 
The Federal Information Security Modernization Act of 2014 (FISMA) requires each agency’s Inspector General (IG) to conduct an annual independent evaluation to determine the effectiveness of the information security program (ISP) and practices of its respective agency. Our objective was to determine the effectiveness of the Tennessee Valley Authority’s (TVA) ISP and practices as defined by the FY 2023 – 2024 IG FISMA Reporting Metrics. Our audit scope was limited to answering the fiscal year (FY) 2024 IG metrics, which include 20 core IG metrics and 17 supplemental IG metrics. The FISMA methodology considers metrics at a level 4 (managed and measurable) or higher to be at an effective level of security. Based on our analysis of the FY 2024 IG metrics and associated maturity models, we determined TVA's ISP and practices were operating in an effective manner as defined by the FY 2023 – 2024 IG FISMA Reporting Metrics. However, we identified areas for improvement in both the core and supplemental metrics to further improve TVA’s ISP and practices.
Date Issued: 
Friday, August 30, 2024
Agency Reviewed / Investigated: 
Tennessee Valley Authority
Submitting OIG-Specific Report Number: 
2024-17494
Location(s): 
Agency-Wide
Type of Report: 
Audit
Questioned Costs: 
$0
Funds for Better Use: 
$0
Number of Recommendations: 
4
Report updated under NDAA 5274: 
No
View Document: 
AttachmentSize
PDF icon 2024-17494.pdf3.78 MB

Related Open Recommendations

Recommendation Number Recommendation Status Significant Recommendation Additional Details
1 Open No
We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement automated monitoring via DHS’ Continuous Diagnostics and Mitigation program for components applicable to TVA’s information security continuous monitoring strategy and update processes for developing and maintaining an accurate and complete inventory of TVA’s information systems to include automation and near real-time updates.
2 Open No
We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement, assess, and maintain common secure configuration settings for all information systems.
3 Open No
We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, define, consistently implement, and communicate qualitative and quantitative performance measures on the effectiveness of its configuration management plan.
4 Open No
We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, perform the configuration management roles and responsibilities that have been defined for common secure configurations, enterprise-wide configuration management plans, and flaw remediation processes.
Displaying 4 of 4 Recommendations